Don’t get held to ransom over safety data

By on

Ransomware attacks are becoming increasingly prevalent. While recent headlines may have highlighted ‘big business’ being attacked, cyber criminals are indiscriminate in the size of organisation they target.

Ransomware attacks occur when cyber criminals gain access to an IT system, often through a ‘back door’ or simply by someone clicking on a phishing link in an email. They navigate through the system, infecting it with malware, before striking and encrypting the entire system. This can paralyse a business unless adequate backups are in place. Not only is business continuity affected, but the information on the IT system can be exploited.

Recent experience shows that the cyber criminals can drip feed ‘proof of life’, showing the victim organisation what information they have taken from the IT systems. Cyber criminals recognise that personal data is a valuable asset.

The legal consequences

Data protection legislation requires any ‘data controller’ affected by a personal data breach to notify the ICO (Independent Commissioner’s Office) within 72 hours of becoming aware of it, unless it is unlikely to affect the rights and freedoms of the people concerned. Failure to do so could result in fines being imposed. However, if the breach results in a ‘high’ risk to the individuals, they also need to be told about it directly, without undue delay.

Laura Gillespie is a partner in the Pinsent Masons’ Litigation and Regulatory Compliance team, specialising in data privacy and cyber security matters.

Health and safety professionals often hold sensitive or ‘special category’ information, given the nature of their roles. If very sensitive information ends up in the hands of a cyber criminal, this could increase the risk to the individual – either because of the risk of socially-engineered identity fraud or the loss of very sensitive and confidential medical information.

As such, there can be a greater risk that information held by health and safety professionals could trigger the ‘high risk’ threshold if it gets into the hands of a cyber criminal.

People affected by data breaches have the right to claim compensation. The Supreme Court is currently considering the extent of that right in the case of Lloyd v Google LLC, but it is clear that if a ransomware attack occurs, the cost to the affected business may not just be business continuity, reputation or regulatory fines, but also claims for compensation.

How to protect against ransomware

As with any compliance programme, prevention is the best form of protection. Ensuring that regular reviews of IT ‘patches’ and security updates are run is crucial, along with back-ups which have been tested. Implementing multi-factor authentication can be another useful way to add an extra layer of protection and organisations should seek to ensure that any very sensitive information is sufficiently segregated and encrypted on the system. 

Not only is business continuity affected by a ransomware attack, but the information on the IT system can be exploited. Photograph: iStock

Incident response plans will be key but if they are stored on encrypted IT systems they may be inaccessible. Pinsent Masons has devised Cyturion, which is a remotely-hosted cyber response tool. This provides a tailored response process and is accessible from anywhere, even when systems are unavailable.

Laura Gillespie is a partner in the Pinsent Masons’ Litigation and Regulatory Compliance team, specialising in data privacy and cyber security matters.

For guidance on the UK General Data Protection Regulation (UK GDPR) see: ico.org.uk/for-organisations


Steve Perkins Headshot Bw Min

It’s time to up our game on preventing occupational diseases

By Steve Perkins, Steve Perkins Associates on 16 August 2022

“What gets measured gets managed.” So said Peter Drucker, the well-known management thinker. And it’s generally true. Unfortunately, when it comes to protecting the physical health of our workers from exposures that cause disease and death, we tend to count the corpses rather than focus on controlling the exposures that produce them.

Portrait (2) Clive Betts

Leaseholders and social housing providers on the hook for significant costs

By Clive Betts MP on 08 August 2022

Government plans to fix the building safety crisis leave leaseholders and social housing providers on the hook for significant costs, writes Clive Betts, the MP and Chair of the Levelling Up, Housing and Communities Select Committee.

Mike Robinson (3) MED.jpg

What a scorcher! How well did we respond to the heatwave?

By Mike Robinson FCA, British Safety Council on 08 August 2022

So, how was the recent heatwave for you? That is not a flippant question. I ask it in the knowledge that, almost without exception, every person in the UK and a lot in Europe, will have experienced it in one way or another this summer.